Open Bug 1530755 Opened 5 years ago Updated 2 years ago

When cookie lifetimePolicy is session-only, visiting an unwhitelisted subdomain causes cookies from *whitelisted* subdomains to be removed on shutdown

Categories

(Toolkit :: Data Sanitization, defect, P3)

People

(Reporter: me, Unassigned)

Attachments

(1 file)

With network.cookie.lifetimePolicy=2 (i.e. session only), visiting an unwhitelisted subdomain causes cookies from whitelisted subdomains of the same base domain to be removed on shutdown. This only happens if both sub-domains set a cookie.

It looks like the cookie cleaning code always clears the whole base domain, so if you ever visit a subdomain that is not whitelisted you trigger the cleaning of the whole base domain including all your whitelisted subdomains (of that base domain). An obvious user workaround is to whitelist the entire base domain.

I found Bug 1524674 while filing this but I think it's different (I'm testing in Fx66b11 which I believe contains the fixes from that bug).

Steps to reproduce:

  1. Create new Firefox profile.
  2. Go to about:preferences#privacy
  3. Under the "Cookies and Site Data" section:
    3a. Check "Delete cookies and site data when Firefox is closed".
    3b. Click "Manage Permissions" then enter and Allow the following URL: https://www.viewranger.com then "Save Changes".
  4. Visit https://www.viewranger.com and click the "accept cookies" button (developer tools shows a cc_cookie_accept cookie has been created).
  5. Restart Firefox then visit https://www.viewranger.com to confirm that the cookie consent banner is not displayed (developer tools shows the cc_cookie_accept cookie is still around).
  6. Restart Firefox then visit https://my.viewranger.com
  7. Restart Firefox then visit https://www.viewranger.com

Expected results

  1. The cookie banner on https://www.viewranger.com should not be displayed.

Actual results

  1. The cookie banner on https://www.viewranger.com is displayed (developer tools shows the cc_cookie_accept cookie is gone).

Notes
The STR also works if you reverse the two URLs, if you whitelist https://my.viewranger.com its cookies will be deleted on shutdown after visiting https://www.viewranger.com.

Tested on Mozilla 66 beta 11 on Windows 10 v1809.

The attached testcase will also show the problem if you copy it into two different subdomains of the same base domain.

Off-hand this seems like unwanted behavior to me but maybe Baku knows a reason why we're doing this on purpose. Otherwise I'd say it's a bug.
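To make the reported behaviour concrete, the following is an added model of the two cleanup strategies at issue; it is example code written for this page, not Firefox's own sanitizer. It assumes a naive base-domain rule (last two host labels, no Public Suffix List handling), an allow permission that matches the cookie host exactly, and a small constructed cookie jar mirroring the STR (a cookie on www.viewranger.com, which is allowed, and one on my.viewranger.com, which is not):

```javascript
// Added example, not Firefox code: models the session-only cookie cleanup
// described in this bug. Permissions are granted per site (host), but the
// shutdown cleanup is modelled as clearing whole base domains, which is the
// behaviour the report describes.
//
// Assumptions (not taken from the page): baseDomain() uses the last two
// labels of the host with no Public Suffix List handling, and an "allow"
// permission matches the cookie host exactly.

// Constructed sample cookie jar: one cookie per host, as in the STR.
const sampleCookies = [
  { host: "www.viewranger.com", name: "cc_cookie_accept", value: "1" },
  { host: "my.viewranger.com",  name: "sessionid",        value: "abc" },
  { host: "www.example.org",    name: "theme",            value: "dark" },
];

// Sites the user allowed under "Manage Permissions"; session-only cleanup
// is supposed to exempt these.
const allowedSites = new Set(["www.viewranger.com"]);

// Naive base-domain extraction (assumption: real browsers consult the PSL).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Model of the reported behaviour: every cookie host that is NOT allowed
// dooms its entire base domain, so allowed siblings are cleared as well.
// Note that the base domain is only doomed if the unallowed host actually
// has a cookie, matching "this only happens if both sub-domains set a cookie".
function clearOnShutdownByBaseDomain(cookies, allowed) {
  const doomed = new Set();
  for (const c of cookies) {
    if (!allowed.has(c.host)) doomed.add(baseDomain(c.host));
  }
  return cookies.filter(c => !doomed.has(baseDomain(c.host)));
}

// Expected behaviour: decide per host, so an allowed subdomain keeps its
// cookies even when a sibling subdomain of the same base domain is cleared.
function clearOnShutdownByHost(cookies, allowed) {
  return cookies.filter(c => allowed.has(c.host));
}

// Stable "host:name" list for comparing results.
function cookieKeys(cookies) {
  return cookies.map(c => `${c.host}:${c.name}`).sort().join(",");
}

// Stand-alone demonstration of the difference.
console.log("by base domain:", cookieKeys(clearOnShutdownByBaseDomain(sampleCookies, allowedSites)) || "(none)");
console.log("by host:       ", cookieKeys(clearOnShutdownByHost(sampleCookies, allowedSites)) || "(none)");
```

With the base-domain model the allowed www.viewranger.com cookie is lost because my.viewranger.com also had a cookie; remove the my.viewranger.com entry from the jar and it survives, which is the dependency on both subdomains setting a cookie that the report notes. Reversing the allow list to my.viewranger.com produces the mirror-image result described under Notes.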

Priority: -- → P3
Severity: normal → S3
See Also: → 1681493
